I  INTRODUCTION


A.  BACKGROUND 


o        The magnitude of the computer security problem is just surfacing.  A recent
report of the American Bar Association revealed that nearly 50% of 300
respondent companies reported losses from two to ten million dollars from:

    Unauthorized computer use.
    Theft of software.
    Theft of assets.

o        The survey showed that computer crime losses were predominantly from
within the organization.

o        The  executive  felt  that  the  gap  between  computer  technology  and  security  is 
widening. 


o        It is difficult to impress upon management that a magnetic tape (or micro
disk) costing well under $100 contains information valued at several
million dollars or more.
The object of this Information Systems Program (ISP) report on Protecting the
Corporate Software Investment is to evolve strategies of protecting software,
developed in-house or acquired, from loss or unauthorized access in the
mainframe, distributed, and personal computer environments.



The subject chosen resulted from high client interest, the rapidly changing
information processing operating environment due to personal computers, and
the growing importance of computer information security to corporate
management.


This  report  is  targeted  toward  the  information  systems  manager,  the  vice 
president  of  administration,  and  the  corporate  security  director. 


B.       SCOPE  AND  METHODOLOGY 


Although this report includes a global discussion of information system
security, its main focus is on software security, both applications and systems
software, developed in-house or acquired.  The report considers software
security with respect to utilization on host processors, the distributed
environment, and personal computers.

The  report  can  be  used  as  an  aid  in  planning  for  software  security  in  a  rapidly 
changing  information  systems  environment,  including  distributed  processing 
and  widespread  use  of  personal  computers. 


The research program consisted of interviewing both vendors (ten) and users
(six), particularly users involved with security issues related to
microcomputers.  Additional material was gathered from interviews with
industry experts, from INPUT's research files, and from an extensive literature
search and analysis.

The research summary, analysis, and findings are organized in the following
chapters:

Chapter II is the executive summary in presentation format and
supporting discussion.

Chapter III covers the people aspects related to protecting the
corporate systems and software investment.

Chapter  IV  outlines  the  process  of  and  options  in  developing  a  software 
security  methodology. 

Chapter  V  presents  strategies  for  designing  and  developing  secure 
systems  and  application  software. 

Chapter  VI  examines  the  implications  of  and  emerging  technology 
related  to  protecting  corporate  systems  and  software  in  the 
microcomputer  and  distributed  processing  environment. 

Chapter VII summarizes and recommends people, administrative, and
technology strategies to protect the corporate system and software
investment  in  a  rapidly  changing  information  systems  environment. 

Appendix  A  contains  specialized  definitions  that  relate  to  computer 
information  system  security. 


Related INPUT reports are contained in Appendix B.


The vendor questionnaire is found in Appendix C.
II  EXECUTIVE SUMMARY


Note:  This  executive  summary  is  designed  in  a  presentation  format  in  order 
to: 

Help  the  busy  reader  quickly  review  key  research  findings. 

Provide  ready-to-go  executive  presentations  complete  with  a  script,  to 
facilitate  group  communication. 

The key points of the entire report are summarized in Exhibits II-1 through II-
3.  On the left-hand page facing each exhibit is a script explaining its
contents.
A.       ESTABLISH A BASELINE FOR INFORMATION SYSTEMS AND
         SOFTWARE PROTECTION


The transfer of electronic intelligence from the data processing center to the
user environment makes protecting information systems and software a
people, and hence a top management, problem.  It is essential that corporate
management be aware of the awakening security giant and be involved in the
strategies of protecting the corporate information nerve centers used to
conduct the heart of corporate business activity.


The key to coping with information systems dynamics is the careful selection
of the security director, placement high in the corporate organization, and
backing by top management.

Protecting the corporate system and software investment is in the final
analysis the responsibility of well-motivated users at each corporate level.
Education promoting awareness and responsibility best motivates personnel to
maintain protection of corporate trade secrets, information systems, and
software.

Cost-effective protection of corporate information systems and software with
available and emerging security technologies in the mainframe,
user network, and intelligent terminal areas can raise the ante for committing
fraud to prohibitively high or at least insurable levels.
B.       SECURITY PROTECTION IS A THREE-DIMENSIONAL ASSESSMENT


Strategies for protecting the corporate information systems and software
investment are assessed in three dimensions: (1) people really count; (2) good
administration is a necessary component; (3) technology is the first line of
defense.

Strategies related to users at all levels include: (1) corporate security policy,
promulgated and backed by top management, which incorporates user
responsibilities, code of ethics, and risk assessment; (2) selection of a security
director experienced in company operations, placed high in the corporate
organization, backed by and responsible to top corporate management; (3)
heightened user awareness through continued and varied briefings to
small groups of users and executives; and (4) personnel strategies including
background investigation, hiring and termination procedures, annual security
evaluations, and, as necessary, separation of duties.

Basic administrative strategies include fire protection with preferably halon
systems; duplicate storage of systems and applications software, preferably
encrypted and at two outside secure locations; legal protection through
copyright and trade-secret registration; and insurance under complying
conditions against both fraud and disaster.

Use of technology to protect corporate information systems and software as
the first line of defense requires cost-effective selection of available and
emerging technologies for (1) host processors including mainframes and
distributed minis; (2) user networks including telecommunications and LANs;
and (3) intelligent terminals including word processors and personal
computers.
C.       LAYERED TECHNOLOGY IS THE CORE DEFENSE


Carefully selecting multiple and independent technologies available for host,
including mainframe and distributed processors; user networks, including
telecommunications and Local Area Networks (LANs); and intelligent
terminals, including word processors and personal computers, is the first line
of defense for protecting the corporate information systems and software
investment.

Security options available at host processors include operating system add-on
security monitors, selectively available secure operating system kernels,
applying formal structured design methodologies and structured programming
to in-house and contractor-developed software, and the application of secure
change control, including checking for clearing main and scratch pad memory,
trap-doors, and trojan horses.


Encryption, both private and public key; authentication, including user and
host; tap-proof fiber optic LANs; and multi-line telephone access controllers are
technologies available to protect user networks at selected levels of
cost-effective security.

Protecting corporate information systems and software contained in
intelligent terminals in the user environment represents the most rapidly
growing area of vulnerability.  Available technologies include secure
microprocessors (Intel iAPX286), secure software microdisks (PROLOK),
terminal identifiers, and microprocessor-encapsulated active (smart) plastic
cards.
III      PEOPLE, THE KEY TO SYSTEM AND SOFTWARE SECURITY


A.       SECURITY,  A  TOP  MANAGEMENT  RESPONSIBILITY 




Of the 26 possible threats to corporate information systems as shown in
Exhibit III-1, nearly 70% are countered by good operational practices, physical
security, and personnel, all of which are the responsibility of top
management.

The Information Systems (IS) manager, chief of the vault where valuable
electronic resources are stored, has responsibility for defending against
the remaining threats to the core of the corporate information system.


Experience has shown that the major vulnerability is within the organization,
often with trusted employees who know best how the company and the
information system work.

Top management involvement is a top priority requirement when establishing
a baseline for information security.  Corporate policy, a joint effort between
the chief administrative office, the security director, and the IS director,
should be promulgated by the chief executive officer.  Policy with respect to
personnel should include:

    Organization policy, including the placement within the organization,
    the responsibilities, and the authority of the security director.

    Hiring practices, including interview and thorough background checking
    for all personnel, including managers, that are involved with developing
    and using corporate information systems and software.

    Termination practices, including firing for cause, security debriefing,
    and termination interviews.

    Code of conduct, including security reviews, conflict of interest,
    non-disclosure, and sanctions.

Development, communication, and implementation of corporate security
policies are analyzed in the following sections of this chapter.


B.       A  WELL-PLACED  SECURITY  DIRECTOR 


Each new generation of computer technology gives birth to new professional
positions.  The computer security expert has evolved along with third-
generation technology (i.e., IBM 360, DEC VAX) sometime between 1968 and
1972.  The distribution of computer power, including personal computers in
the end-user environment, is rapidly increasing the importance of information
system security to corporate well-being.


The  functions  of  a  well-administered  security  program  are: 

    Avoidance of loss through risk removal (such as background
    investigation prior to hiring).

    Deterrence of financial loss through such things as separation of
    duties and security briefings.

    Prevention, such as with use of physical-access control devices (e.g.,
    card-activated turnstiles and doors).

    Detection through the use of auditing.

    Recovery through disaster recovery services, insurance, and legal
    proceedings.

    Correction through security review and software change control
    procedures.

A must for a successful corporate security program is the selection and
strategic placement of a well-qualified information system security director.

At the minimum the security director must report directly to the top IS
executive, or more ideally to the corporate executive responsible for overall
corporate security (with a close interface to the IS director).

Information  security  directors  should  have  both  an  understanding  of  the 
information  system  and  of  the  business  in  general.  A  senior  information 
system  analyst/programmer  having  prior  experience  in  a  major  operating 
department  is  a  preferred  candidate. 


Managing information system security successfully requires experience in and
understanding of the interplay among systems development, audit, users,
senior management, and information systems operations.

The security director serves as liaison between senior management and the end
users.  However, the director's first loyalty is to senior management.  Close
working relationships with IS and Audit are essential.

Information security should be the security director's sole responsibility.
Information security, including disaster recovery, needs full-time attention.
o        To be successful a security director must be supported by top corporate
management.

C.       PEOPLE SECURITY FACTORS


o        Operating in an information environment where the number of users having
access to corporate information is rapidly rising, personnel security factors
are likely the most cost-effective alternative for controlling system and
software security.  The following factors are considered baseline with respect
to reducing people-related risk to an operationally acceptable level:

1.       BACKGROUND INVESTIGATION

o        As a major method of avoidance, background investigations are worthwhile for
new employees, contractor personnel, vendor personnel, consultants, and on a
periodic basis for anyone in a position of trust.

o        To  avoid  possible  legal  (or  other,  such  as  union)  problems,  authorization  for 
background  investigations  should  be  obtained  as  part  of  the  employment 
application  or  vendor  contractual  agreement. 

o        Background investigations are usually performed by an outside agency, such as
Equifax.  Equifax, a company specializing in insurance/credit investigation,
interviews employers, co-workers, and neighbors, and researches public records.
Equifax charges $20-$100/person.

o        Items for verification are education, prior work experience, criminal
convictions (if any), opinions of qualified people who know the candidate, and
employer performance reports.
Under most circumstances full disclosure of the findings to the prospective
employee  (with  an  opportunity  for  rebuttal)  is  recommended  policy. 

2.       EMPLOYEE HIRING PROCEDURES

o        When hiring an employee, an agreement of confidentiality, a patent
agreement, and an acknowledgement of a professional code of conduct should
be executed.


An  initial  briefing  on  security  should  be  scheduled  soon  after  the  candidate  is 
hired. 


3.       CORPORATE INFORMATION SECURITY POLICY


The  corporate  information  security  policy  should  establish  goals,  objectives, 
requirements,  and  responsibilities  promulgated  by  the  CEO. 

A  visible  and  enforceable  information  security  policy  indicates  a  top-to- 
bottom  commitment  to  security  and  represents  a  primary  form  of  security 
deterrence. 


To  be  effective,  security  policy  must  be  kept  current. 


4.       EMPLOYEE EDUCATION


Perhaps no other factor has greater cost-effectiveness than small and
frequent security briefings to all levels of the corporate organization.  Typical
of educational policies is that of Chevron Oil Company:

    As part of its consciousness-raising effort, Chevron conducts a series
    of two-hour presentations and demonstrations that familiarize top
    managers with security issues.  Topics include personal computers,
    timesharing, data base access, and mainframes.

    The seminars are presented to small groups of between six and eight
    executives.

5.       SECURITY PERFORMANCE EVALUATION

o        A security performance evaluation should be explicitly included as part of job
performance and merit increase reviews.  The review includes managers'
assessment of employee support and of adherence to corporate security
policies.


Suggestions  from  employees  and  other  interested  parties  should  be  solicited, 
reviewed  with  the  security  director,  and  acted  upon. 


6.       CODE  OF  CONDUCT 


o        A  code  of  conduct  for  all  employees,  contractors,  and  consultants  covers  rules 
of  behavior  to  protect  the  organization  from  potential  losses. 

o        A  code  of  conduct  should  be  explicit  in  describing  sanctions  that  will  be 
applied  in  response  to  code  violations. 

o        The  code  should  be  reviewed  periodically,  such  as  at  security  briefings  or  at 
performance  reviews. 

o         It  is  advisable  to  have  employees  (etc.)  acknowledge  the  code  by  signing  it. 

o        A typical code of conduct for information processing is shown in Exhibit III-2.


7.       SEPARATION  OF  DUTIES 

o        Duties should be assigned to employees in positions of trust with security in
mind.  Duties should be separated to minimize the lone employee's ability to
engage in criminal activity without detection.

o        There should be multiple control, whereby one person initiates the task,
another  verifies  correctness,  and  a  third  is  held  accountable  for  the  total 
task.  This  is  a  useful  method  where  highly  sensitive  information  is  involved. 

Job  rotation  is  another  means  of  stopping  and  uncovering  ongoing  fraud. 

Mandatory  vacation  policies  can  be  used  to  interrupt  continuity  and  to  expose 
ongoing  fraud. 


8.       TERMINATION PROCEDURES

o        Termination for cause requires immediate removal of the employee from a
position of trust.

o        Terminated employees should receive a debriefing with explicit explanation of
ex-employee responsibilities, such as maintaining confidentiality of trade
secrets and other competitive information.  A terminating agreement should be
signed and executed.

o        A security director should ensure that material such as access cards and
software documents are returned, and that necessary computer access
passwords and secret keys are changed.
IV      ESTABLISHING A SOFTWARE SECURITY METHODOLOGY


A.       SOFTWARE  SECURITY  ADMINISTRATION 


1.  SOFTWARE  DESIGN  AND  DEVELOPMENT 

o        Security aspects for design and development of secure software are covered in
detail in Chapter V, Designing for Secure Software.

2.  DOCUMENTATION  CONTROL 

o        Secure  software  administration  requires  that  software  documentation  and 
control  be  established  as  the  separate  responsibility  of  a  software  librarian. 
The  librarian  is  responsible  for  maintaining  the  software  library  in  paper  and 
magnetic  form  in  source  language,  for  logging  copies  in  and  out,  and  for 
duplicating  software  documentation  in  any  form. 

o         It  is  essential  that  obsolete  or  duplicate  text  and  other  paper  documentation 
of  critical  programs  be  shredded  to  avoid  scavenging. 

o        Terminated  employees  should  be  required  to  check  out  with  the  software 
librarian  for  clearance  as  part  of  the  termination  procedure. 
3.  FIRE PROTECTION

o        The software library is best protected from fire through the use of a halon
fire control system.  Because of its chemistry, halon poses the least threat to
people, magnetic media, and paper.

4.  DISASTER  RECOVERY 

o        Software recovery procedures are a critical part of any disaster recovery
plan.  Two backup copies of the complete software library are required and
should be stored at separate locations.  In the event of disaster, a
backup set of the complete software will still exist while one set is being used
to restart system operations.


o        A further level of security can be obtained by encrypting the software library
prior to transmission or delivery to off-site locations.


5.  LEGAL

o        Legal aspects of software protection include patents, copyrights, and "trade
secrets."

o        Establishing patent rights to software is extremely difficult.  Copyrighting a
program, whether by statutory or common law, offers a degree of protection
that has in some notable instances been successfully enforced, but
(particularly in the microprocessing software area) has been largely avoided.

o        Viewed by many as the best alternative form of legal protection is that given to
"trade secrets" through tort law.  Courts have applied a reasonably standard
set of tests to determine the legality of trade secrets and whether the trade
secret has been used in an unfair or improper way.
6.  INSURANCE

o        "A sleeping giant," insurance is expected to have a positive effect on the
security problem.  Insurance requirements (conditions for insurability) promote
formalization and standardization of security methodologies and increase top
management awareness of information system security at all organizational
levels.


B.       OPERATIONAL SOFTWARE SECURITY OPTIONS


o        Each of the operational software security options shown in Exhibit IV-1
independently offers a level of security protection.  The greatest level of
security is obtained, as will be discussed below, by layering multiple options to
make the cost of penetration prohibitive to the prospective attacker.

1.  PASSWORDS

o        Passwords are perhaps the lowest form of security protection from
unauthorized access or modification of corporate information software.

o        Password  capability  is  provided  by  virtually  all  operating  systems. 

o        Passwords can be user created or (preferably) security system assigned.  A
secure means of mapping the user to the assigned password is essential.

o        Encrypting  the  password  resident  in  operating  system  tables  adds  a  level  of 
security  without  sacrificing  operating  efficiency. 

o        Passwords  should  be  changed  frequently  and  at  irregular  intervals. 

o        Passwords are easily discovered by a determined hacker.
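The two points above, protecting the password copy held in operating system tables and preferring system-assigned passwords, can be shown in working code.  The following is an added example, not code from the INPUT report or from any product it names.  It stores only a salted one-way hash (PBKDF2-HMAC-SHA256, used here as a modern stand-in for the report's "encrypting" of the stored password) and draws assigned passwords from a cryptographic random source; the table layout, user name and password length are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import string

# Constructed example of a "security system assigned" password scheme.  The
# table holds only a per-user salt and a one-way PBKDF2 hash, never the
# password itself, so exposure of the table does not expose the passwords.
# (Assumption: PBKDF2-HMAC-SHA256 stands in for the report's "encrypting the
# password resident in operating system tables".)

ITERATIONS = 200_000
ALPHABET = string.ascii_letters + string.digits


def assign_password(length: int = 12) -> str:
    """Generate a system-assigned password with a CSPRNG rather than letting
    the user choose a guessable one."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def store_password(table: dict, user: str, password: str) -> None:
    """Record user -> (salt, hash).  A fresh random salt per user defeats
    precomputed dictionaries shared across accounts."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    table[user] = (salt, digest)


def verify_password(table: dict, user: str, candidate: str) -> bool:
    """Recompute the hash for the candidate and compare in constant time."""
    entry = table.get(user)
    if entry is None:
        return False
    salt, digest = entry
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(cand, digest)


def table_contains_plaintext(table: dict, password: str) -> bool:
    """Check that no stored record contains the password bytes verbatim."""
    needle = password.encode()
    return any(needle in salt or needle in digest for salt, digest in table.values())


def demo() -> dict:
    table = {}
    pw = assign_password()
    store_password(table, "jdoe", pw)          # constructed user name
    return {
        "assigned_len": len(pw),
        "ok": verify_password(table, "jdoe", pw),
        "wrong": verify_password(table, "jdoe", pw + "x"),
        "unknown_user": verify_password(table, "nobody", pw),
        "leaks_plaintext": table_contains_plaintext(table, pw),
    }


if __name__ == "__main__":
    print(demo())
```

A system that assigns passwords this way still has to deliver them to the user over a channel the report would call secure; the hash only protects the copy that stays on the host.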
2.  TERMINAL IDENTIFIER


Selected terminals have the ability to be uniquely (with high probability)
identified as an input-output resource, either in the direct access or dial-in
mode.

Some terminals have the capability of reading magnetic stripe cards
containing user IDs to identify the user at a particular terminal as having the
right to access or modify corporate information software.

A password is an identifier (preferably system generated and assigned)
giving rights of access to system resources.  A password is usually (but not
necessarily) assigned to one user.  A personal ID is a secret value, known
only to the user and separately supplied to the security monitor, that uniquely
identifies a user.

Passwords,  personal  IDs,  and  terminal  identifiers  can  be  combined  to  add 
another  level  of  operational  software  security. 

3.  SECURITY MONITORS

Another dimension of operational software security can be obtained by using a
security monitor on top of existing operating systems.  Security monitors are
software packages that reduce the frequency of unauthorized access or
improper use of corporate information system resources.

Some of the more popular security software packages for IBM-compatible
mainframes are shown in Exhibit IV-2.  Security monitors differ in function, for
example:

Alert and Secure are targeted for protecting against unauthorized access from
the interactive terminal or CICS environment.
ACF2 and Top Secret offer great flexibility in discretionary access
policy, whereas RACF implements an inflexible and mandatory security
policy.

Only ACF2 and Secure have versions compatible with the VM operating
system.

Top Secret and Alert are the only packages that do not require changes
to the operating system upon installation.

Security  monitors  require  a  security  administrator  to  map  the  relationship 
between  users  and  resources.  The  matrix  is  then  stored  (often  encrypted)  in  a 
protected  area  of  the  security  monitor. 

Security monitors attempt to solve deficiencies in operating systems that
have not been designed with security in mind.  As such, security monitors are
vulnerable to a determined hacker.

Discussion  of  the  design  of  secure  operating  system  software  is  presented  in 
Chapter  V,  Designing  for  Secure  Software. 

Advanced  security  monitors  provide  for  the  capability  of  implementing 
security  policies  that  are  discretionary,  mandatory,  or  a  combination  of  both. 

Discretionary  policy  allows  a  specific  user  or  process  to  create  objects 
(i.e.,  files)  and  then  specify  who  has  access  to  them. 

Mandatory  security  policy  establishes  a  hierarchy  of  security 
classifications  as  a  basis  for  determining  access. 

Effective security monitors are easy to install (i.e., require few if any
operating system modifications), are efficient (i.e., low system overhead), are
on-line and flexible with respect to the security administrator, and are
capable of mapping terminals and users to system resources (i.e., processors and
peripherals) and objects, including software, data bases, files, records, and
data.
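As an added illustration, not code from the report or from any of the monitors it names, the following toy security monitor holds the administrator's user-to-object matrix described above and enforces both policies just defined: a discretionary access list that only an object's owner may extend, and a mandatory hierarchy of classifications in which a user's clearance must dominate the object's level before the discretionary list is even consulted.  Every decision is written to an audit list, as the report expects of a monitor.  The users, clearances, object name and audit record layout are invented for the example.

```python
from dataclasses import dataclass, field

# Constructed example of a security monitor's access matrix with both a
# discretionary policy (owner-controlled access lists) and a mandatory policy
# (a hierarchy of classifications).  Levels, users and object names are invented.

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


@dataclass
class Obj:
    name: str
    owner: str
    classification: str
    acl: dict = field(default_factory=dict)      # user -> set of rights


@dataclass
class SecurityMonitor:
    clearances: dict                              # user -> classification label
    objects: dict = field(default_factory=dict)   # name -> Obj
    audit: list = field(default_factory=list)     # (result, user, action, object)

    def create(self, user: str, name: str, classification: str) -> None:
        """Discretionary policy: the creator owns the object and holds all rights."""
        self.objects[name] = Obj(name, user, classification, {user: {"read", "write"}})

    def grant(self, granter: str, name: str, grantee: str, right: str) -> bool:
        """Only the owner may extend an object's access list."""
        obj = self.objects[name]
        if granter != obj.owner:
            self.audit.append(("VIOLATION", granter, "grant:" + right, name))
            return False
        obj.acl.setdefault(grantee, set()).add(right)
        self.audit.append(("OK", granter, "grant:" + right, name))
        return True

    def access(self, user: str, name: str, right: str) -> bool:
        """Mandatory check first (clearance must dominate classification),
        then the discretionary list; both must pass."""
        obj = self.objects[name]
        mandatory_ok = LEVELS[self.clearances[user]] >= LEVELS[obj.classification]
        discretionary_ok = right in obj.acl.get(user, set())
        decision = mandatory_ok and discretionary_ok
        self.audit.append(("OK" if decision else "VIOLATION", user, right, name))
        return decision


def demo() -> dict:
    sm = SecurityMonitor({"alice": "SECRET", "bob": "CONFIDENTIAL", "carol": "SECRET"})
    sm.create("alice", "PAYROLL", "SECRET")
    sm.grant("alice", "PAYROLL", "bob", "read")            # owner may grant...
    results = {
        "bob_read": sm.access("bob", "PAYROLL", "read"),   # ...but bob's clearance is too low
        "carol_read_ungranted": sm.access("carol", "PAYROLL", "read"),  # cleared, not listed
        "bob_grant": sm.grant("bob", "PAYROLL", "carol", "read"),       # not the owner
    }
    sm.grant("alice", "PAYROLL", "carol", "read")
    results["carol_read_granted"] = sm.access("carol", "PAYROLL", "read")
    results["violations"] = sum(1 for e in sm.audit if e[0] == "VIOLATION")
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(k, v)
```

The ordering matters for the report's point about RACF-style mandatory policy: an owner's grant cannot override the classification hierarchy, which is what makes the policy "inflexible" from the user's side and predictable from the administrator's.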


Security can be increased by providing both software memory protection (i.e.,
insuring that processes are limited to a memory segment) and execution
domains (a hierarchy of executable system processes).  These functions are
more efficiently implementable in hardware (see Chapter VI, The
Microcomputer and Software Security).

Security  monitors  vary,  as  shown  in  Exhibit  IV- 1,  in  their  ability  to  interface 
with  operating  systems,  protect  local  and  dial-in  data  communication 
subsystems,  control  system  software  functions,  and  provide  levels  of  password 
support. 

Security monitors are generally good at providing audit trails.  Audit
capability includes:

    System access.
    Access attempts.
    Resource use.
    Security violations.
    Interrelationship between users and resources.
    On-line monitoring of suspected violators.

Effective security monitors disconnect both unattended terminals (after a
preselected or varied time interval) and users who make repeated (i.e., more
than two) unsuccessful attempts to access the system from the same terminal.
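The disconnect rule just stated (more than two unsuccessful attempts from one terminal, and idle terminals after a time limit) is the kind of check a monitor applies to the audit trail listed above.  Below is an added example, not from the report or from any monitor it lists, that runs over a few constructed audit lines in an invented format: it flags a terminal on its third consecutive logon failure, resets the count on a successful logon, and reports logged-on terminals that have been idle longer than a configurable limit.  The line layout, timestamps, terminal and user names are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit-trail lines in an invented format; not output of any real
# security monitor.  T07 fails three times, T12 fails once then succeeds and
# reads a data set, T03 logs on and goes quiet.
SAMPLE_LOG = """\
1984-03-12 09:00:01 TERM=T07 USER=jdoe EVENT=LOGON_FAIL
1984-03-12 09:00:20 TERM=T07 USER=jdoe EVENT=LOGON_FAIL
1984-03-12 09:00:41 TERM=T07 USER=jdoe EVENT=LOGON_FAIL
1984-03-12 09:00:55 TERM=T12 USER=asmith EVENT=LOGON_FAIL
1984-03-12 09:01:10 TERM=T12 USER=asmith EVENT=LOGON_OK
1984-03-12 09:01:30 TERM=T12 USER=asmith EVENT=READ DATASET=PAYROLL.MASTER
1984-03-12 09:02:00 TERM=T03 USER=bjones EVENT=LOGON_OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"TERM=(?P<term>\S+) USER=(?P<user>\S+) EVENT=(?P<event>\S+)"
)
MAX_FAILURES = 2                    # "more than two" failures -> disconnect
IDLE_LIMIT = timedelta(minutes=10)  # preselected unattended-terminal limit


def parse(log_text: str) -> list:
    """Turn audit lines into dicts with a real datetime; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%d %H:%M:%S")
            events.append(d)
    return events


def failed_logon_disconnects(events: list) -> list:
    """(terminal, time) for each point where consecutive failures from one
    terminal exceed MAX_FAILURES.  A successful logon resets that terminal."""
    fails = defaultdict(int)
    disconnected = []
    for e in events:
        if e["event"] == "LOGON_FAIL":
            fails[e["term"]] += 1
            if fails[e["term"]] > MAX_FAILURES:
                disconnected.append((e["term"], e["ts"]))
        elif e["event"] == "LOGON_OK":
            fails[e["term"]] = 0
    return disconnected


def idle_terminals(events: list, now: datetime) -> list:
    """Logged-on terminals with no audited activity for IDLE_LIMIT as of `now`."""
    last_seen = {}
    logged_on = set()
    for e in events:
        last_seen[e["term"]] = e["ts"]
        if e["event"] == "LOGON_OK":
            logged_on.add(e["term"])
        elif e["event"] == "LOGOFF":
            logged_on.discard(e["term"])
    return sorted(t for t in logged_on if now - last_seen[t] > IDLE_LIMIT)


def demo():
    events = parse(SAMPLE_LOG)
    now = datetime(1984, 3, 12, 9, 11, 35)   # constructed "current" time
    return failed_logon_disconnects(events), idle_terminals(events, now)


if __name__ == "__main__":
    print(demo())
```

Counting failures per terminal rather than per user ID is what the report describes; a monitor that only counted per user would not notice one terminal cycling through many IDs.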


4.  ENCRYPTION

Encryption is a highly effective way to protect systems and software from
active intrusion.

Encryption  is  particularly  effective  in  cases  of  remote  access,  program 
transmission,  downloading,  program  library,  and  outside  program  storage. 

There are currently some major drawbacks to the widespread use of
encryption for commercial systems:

    Encryption systems tend to be expensive.
    Encryption tends to degrade system performance.
    Secret key generation and distribution need careful administrative
    attention.


Encryption  can  be  accomplished  through  software  products,  through  security 
modules  including  specialized  micro  chips,  and  through  completely  automated 
electronic  systems  that  include  key  management. 

The most widely used single-key encryption system uses as an algorithm the
Data Encryption Standard (DES) promulgated by the National Bureau of
Standards (NBS).  The 64-bit key (56 data bits plus 8 parity bits) ensures that the
current cost of key discovery is prohibitive.
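To make the 56-plus-8-bit key structure concrete, here is an added example, not from the report, that derives the eight odd-parity bits from 56 bits of key material and checks a key's parity, which is how a single corrupted key bit is detected before the key is loaded.  It builds only the key, not the DES cipher itself; the key material is randomly generated for the demonstration.

```python
import secrets

# Constructed example (not from the report): building and checking the parity
# bits of a DES key.  Each of the 8 key bytes carries 7 key bits in its high
# positions and one odd-parity bit in its low position, so only 56 bits are
# secret.


def odd_parity_byte(seven_bits: int) -> int:
    """Shift 7 key bits up one position and set the LSB so that the byte has an
    odd number of one-bits."""
    b = (seven_bits & 0x7F) << 1
    return b | (0 if bin(b).count("1") % 2 == 1 else 1)


def des_key_from_material(material56: int) -> bytes:
    """Expand a 56-bit integer into the 8-byte DES key format with parity."""
    if not 0 <= material56 < (1 << 56):
        raise ValueError("need exactly 56 bits of key material")
    return bytes(odd_parity_byte((material56 >> (7 * (7 - i))) & 0x7F)
                 for i in range(8))


def check_parity(key: bytes) -> bool:
    """True when the key is 8 bytes and every byte has odd parity; one flipped
    bit anywhere in the key makes this fail."""
    return len(key) == 8 and all(bin(b).count("1") % 2 == 1 for b in key)


def effective_key_bits(key: bytes) -> int:
    """Parity bits carry no secrecy, so an 8-byte key has 7 * 8 = 56 secret bits."""
    return 7 * len(key)


def demo():
    material = secrets.randbits(56)                  # random key material for the demo
    key = des_key_from_material(material)
    corrupted = bytes([key[0] ^ 0x02]) + key[1:]     # flip one key bit in byte 0
    return check_parity(key), check_parity(corrupted), effective_key_bits(key)


if __name__ == "__main__":
    print(demo())
```

The parity check catches transmission or storage errors in a distributed key, not tampering; a deliberate change that keeps parity odd passes it, which is one reason the report's key-distribution concern remains an administrative rather than a purely technical problem.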

By using multiple encryption, master and subset key management systems
permit secure transfer through multilevel nodes within corporate
information systems.  A major problem is the complexity of key generation,
distribution, and management.


Another method, public-key encryption, utilizes two keys related by a one-
way function.  This method permits one key to be published to all interested
parties.  The key management problem is significantly reduced, but there are,
at the present time, greatly increased computational requirements to encrypt
the information for transmission, storage, etc.  INPUT expects that within
two years an effective electronic solution will be forthcoming.

5.  TELEPHONE ACCESS CONTROLLERS

Telephone access controllers interpose between remote dial-up terminals and
the host computer dial access ports, as shown in Exhibit IV-3.  The controllers
do not wait for an unauthorized user to gain computer access before enacting
countermeasures.  Access is denied to the computer if a user does not dial
from a previously authorized location or does not enter the correct access
code.


Access controllers operate in an analog mode. The controller does not acknowledge that it is being accessed. The user keys in a valid location identification number (LIN). The access controller then answers with an acknowledgement tone or message and both the user and the unit disconnect.

Within  approximately  15-20  seconds  the  controller  calls  a  preselected 
telephone  number  and  interconnects  the  terminal  at  that  number  with  the 
computer  modem,  permitting  the  user  to  initiate  the  sign-on  procedure. 

Typical  controllers  handle  32-64  incoming  lines,  and  include  additional 
features,  such  as  hard  copy  audit  trail  and  time-dependent  callback 
programming. 

Since  the  initial  interface  to  the  dial-up  terminal  is  analog,  the  telephone 
access  controllers  are  relatively  secure  from  external  attack. 
Some controllers track and audit each remote interconnection from terminal
modem  to  computer  modem,  thus  ensuring  that  a  valid  sign-on  has  been 
accomplished. 

Most controllers have the ability to handle up to four simultaneous calls and queuing of 28 others.

It  is  possible  to  use  a  telephone  access  controller  in  conjunction  with  the 
encryption  equipment  shown  in  Exhibit  IV-2  to  provide  an  even  higher  level  of 
computer  software  security.  Telephone  access  controllers  are  usually 
programmed through a dedicated terminal. Some can also be programmed
through  a  remote  terminal,  where  the  remote  terminal  is  protected  from 
unauthorized  access  by  a  single  access  controller  having  a  preprogrammed 
callback  procedure. 
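The callback sequence and the capacity figures above can be modelled as a small state machine. This is an added example, not code from the report or from any controller vendor: the LIN directory, the telephone numbers and the audit-record format are constructed, and the four-active/28-queued limits are taken from the text. The point the model makes visible is that the controller ignores where the call came from and dials only the number preselected for the LIN.

```python
from collections import deque


class CallbackController:
    """Added model (not from the report) of a dial-up callback controller.

    The controller never tells a caller it exists. A caller keys in a location
    identification number (LIN); the controller acknowledges, both sides hang up,
    and the controller dials the telephone number preselected for that LIN.
    """

    def __init__(self, directory, max_active=4, max_queued=28):
        self.directory = dict(directory)   # LIN -> preselected callback number (constructed)
        self.max_active = max_active       # simultaneous callbacks the report cites
        self.max_queued = max_queued       # queued callbacks the report cites
        self.active = {}                   # LIN -> number currently connected
        self.queue = deque()
        self.audit = []                    # stand-in for the hard-copy audit trail

    def incoming_call(self, lin):
        number = self.directory.get(lin)
        if number is None:
            # Unknown LIN: no tone, no message, just a dropped line.
            self.audit.append(("reject", lin))
            return "silence"
        self.audit.append(("ack", lin))
        if len(self.active) < self.max_active:
            return self._call_back(lin)
        if len(self.queue) < self.max_queued:
            self.queue.append(lin)
            self.audit.append(("queued", lin))
            return "queued"
        self.audit.append(("busy", lin))
        return "busy"

    def _call_back(self, lin):
        number = self.directory[lin]
        self.active[lin] = number
        self.audit.append(("callback", lin, number))
        return f"callback:{number}"

    def session_ended(self, lin):
        self.active.pop(lin, None)
        self.audit.append(("disconnect", lin))
        # A freed line serves the next queued LIN.
        if self.queue:
            self._call_back(self.queue.popleft())


def simulate():
    """Constructed run: one unknown LIN, five valid ones, then one session ends."""
    directory = {f"LIN{i:03d}": f"555-01{i:02d}" for i in range(1, 7)}
    ctl = CallbackController(directory)
    results = [ctl.incoming_call("LIN999")]                      # unknown LIN
    results += [ctl.incoming_call(f"LIN{i:03d}") for i in range(1, 6)]
    ctl.session_ended("LIN001")                                  # frees a line for LIN005
    return results, sorted(ctl.active), ctl.audit


if __name__ == "__main__":
    for entry in simulate()[2]:
        print(entry)
```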

SMART  CARDS 

A  smart  card  consists  of  a  plastic  card  in  which  is  embedded  a  customized 
chip  comprising: 

A  microprocessor  with  interfaces  for  memories  and  communication 
with  the  outside  world. 

Scratch  pad  memory  (random  access). 

A  program  memory  (read  only). 

A  "user  memory"  (programmable  read-only  memory). 

There is no internal power source. The microprocessor is passive until the
card  is  inserted  into  a  terminal. 
The user memory is under exclusive control of the micro-program in the read-only memory. During the last stage of the manufacturing process the user memory is divided into areas with different rights of access as shown in Exhibit IV-4.


After initialization the contents of the secret area cannot be accessed externally. Information stored in the secret area is accessible for internal use only. The secret area is used to store authentication codes of the card issuer, a personal card holder identification code, and encryption keys.

Access  to  the  confidential  area  is  protected  by  the  secret  codes  of  the  card 
issuer and the card holder.

No  restrictions  exist  in  accessing  the  open  memory. 

The  user  will  insert  the  card  in  the  terminal  and  enter  the  password  (personal 
identification  number),  which  will  be  stored  in  encrypted  form  in  the 
confidential  memory.  If  one  utilizes  a  one-way  algorithm  (involving  keys 
stored  in  the  secret  memory  and  the  user's  identification  number)  and 
transmits  the  result  encrypted  between  the  terminal  and  the  host  system,  it 
can  be  determined  that: 

The card is valid.

The  user  is  properly  identified  (with  high  probability). 

The  user  is  connected  to  a  valid  host  processor. 

A  further  level  of  security  can  be  achieved  by  adding  an  electronic  signature 
consisting  of  a  sequence  number  (including  a  date-time  group)  in  the 
transmitted  information,  thus  encrypting  the  information  utilizing  the  secret 
authentication  key. 
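The three conclusions listed above (card valid, user identified, host valid) follow from a mutual challenge-response in which the card's secret key never leaves the chip. The following is an added example, not code from the report or from any card issuer: HMAC-SHA256 stands in for the card's one-way algorithm, the card key is assumed to be derived from an issuer master key and the card identifier, the PIN is kept in the confidential area only as a one-way value, and the three-try lockout is an assumed policy.

```python
import hashlib
import hmac
import os


def prf(key: bytes, *parts: bytes) -> bytes:
    """One-way keyed function; HMAC-SHA256 stands in for the card's own algorithm."""
    return hmac.new(key, b"|".join(parts), hashlib.sha256).digest()


class SmartCard:
    """Added model (not from the report) of the card's memory areas."""

    def __init__(self, card_id: bytes, issuer_master: bytes, pin: str):
        self.card_id = card_id                                    # open area
        # Secret area: the card-specific authentication key never leaves the chip.
        # Assumption: the issuer derives it from a master key and the card id.
        self._auth_key = prf(issuer_master, b"card-key", card_id)
        # Confidential area: the PIN is kept only as a one-way value under the secret key.
        self._pin_check = prf(self._auth_key, b"pin", pin.encode())
        self._unlocked = False
        self.tries_left = 3                                       # assumed lockout policy

    def present_pin(self, pin: str) -> bool:
        if self.tries_left == 0:
            return False
        if hmac.compare_digest(self._pin_check, prf(self._auth_key, b"pin", pin.encode())):
            self._unlocked, self.tries_left = True, 3
            return True
        self.tries_left -= 1
        return False

    def respond(self, host_challenge: bytes):
        """Prove card validity; a card nonce lets the host prove itself in turn."""
        if not self._unlocked:
            raise PermissionError("PIN not verified")
        card_nonce = os.urandom(16)
        return card_nonce, prf(self._auth_key, b"card", host_challenge, card_nonce)

    def verify_host(self, host_challenge, card_nonce, host_proof) -> bool:
        expected = prf(self._auth_key, b"host", host_challenge, card_nonce)
        return hmac.compare_digest(expected, host_proof)


class Host:
    def __init__(self, issuer_master: bytes):
        self._master = issuer_master

    def challenge(self) -> bytes:
        return os.urandom(16)

    def verify_card(self, card_id, host_challenge, card_nonce, response):
        key = prf(self._master, b"card-key", card_id)      # re-derive the card key
        ok = hmac.compare_digest(response, prf(key, b"card", host_challenge, card_nonce))
        proof = prf(key, b"host", host_challenge, card_nonce) if ok else b""
        return ok, proof


def authenticate(card: SmartCard, host: Host, pin: str) -> dict:
    """Run the exchange and report the three conclusions the report lists."""
    if not card.present_pin(pin):
        return {"user": False, "card": False, "host": False}
    ch = host.challenge()
    nonce, response = card.respond(ch)
    card_ok, proof = host.verify_card(card.card_id, ch, nonce, response)
    host_ok = card_ok and card.verify_host(ch, nonce, proof)
    return {"user": True, "card": card_ok, "host": host_ok}


if __name__ == "__main__":
    master = b"issuer-master-secret (constructed)"
    print(authenticate(SmartCard(b"card-0001", master, "1234"), Host(master), "1234"))
```

A host that does not hold the issuer master key cannot compute the card key and therefore fails both checks, which is what "the user is connected to a valid host processor" amounts to in practice.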
The technology makes falsification very difficult. Fraud requires an advanced chip manufacturing facility and possession of proprietary information from the chip manufacturer, the card manufacturer, and the card issuer.


OTHER  TECHNOLOGY 

The other technology under development promises to tie user identification to unchanging personal characteristics. Technologies that strengthen the identification process are:

Fingerprints:  matching  stored  information  with  active  finger 
impressions  using  holography. 

Hand  Geometry:  matching  stored  information  about  palm  lines  using 
holography. 

Signatures:  matching  stored  digitized  patterns  of  signatures  with 
dynamic  analysis  of  handwriting. 

Voice prints: matching digitized information with digitized sound waves of active speaking.

These technologies have been reviewed in the INPUT reports shown in the appendix of related INPUT reports.

Although  promising,  none  of  the  above  technologies  is  yet  sufficiently  reliable 
or  economically  viable. 
V       DESIGNING FOR SECURE SOFTWARE


A.       SYSTEMS  SOFTWARE 


I.       OPERATING  SYSTEMS,  THE  KEY  TO  INFORMATION  SECURITY 

o        To date, the best approach for designing secure operating systems is the security
kernel  concept. 

o        A  smaller,  less  complex,  and  more  easily  verifiable  security  module  is  possible 
by separating the security-relevant functions of the operating system into a
kernel. 

o        The  security  kernel  is  a  reference  monitor  that  checks  the  legality  of  every 
reference  between  user  (subject)  and  resource  (object).  Included  are 
programs,  files,  terminals,  printers,  etc. 

o        The  security  kernel  mediates  every  access  to  protected  resources.  By 
isolating  the  security  kernel  from  the  rest  of  the  operating  system,  the 
module  can  be  more  effectively  protected  from  users  and  system 
programmers. 

o        The greatest difficulty has been verifying that security kernels operate and that they implement security policy correctly.
Security kernels implement discretionary or mandatory (or a combination of both) security policies. Discretionary policy allows the user or security officer to specify objects and who has access to them. As shown in Exhibit V-1, discretionary policy is implemented as either a security matrix or as an access control list that is related to each protected object. Accounting personnel can only read information in File B, whereas user 3 (department head) can either read from or write into File B.


As implemented by the security officer, mandatory security policy establishes several classifications (such as "secret" or "confidential") of the user's level of clearance and of the resources (objects). Security may further subdivide categories of both on the basis of "need to know."
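A reference monitor that combines the two policies just described can be written in a few dozen lines. The following is an added example, not code from the report: the ACL for File B mirrors the text (Accounting reads, user 3 reads and writes), the clearances, classifications and the "finance" need-to-know category are constructed, and the no-read-up / no-write-down rules used for the mandatory part are the classic Bell-LaPadula formulation, which the report does not name. The matrix view at the end shows the same rights in the security-matrix form the report mentions as the alternative representation.

```python
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2}


class Label:
    """A mandatory label: a clearance/classification level plus need-to-know categories."""

    def __init__(self, level, categories=()):
        self.level, self.categories = level, frozenset(categories)

    def dominates(self, other):
        return (LEVELS[self.level] >= LEVELS[other.level]
                and self.categories >= other.categories)


# Discretionary part, one ACL per object (constructed to mirror the report's
# description of Exhibit V-1: Accounting reads File B, user 3 reads and writes it).
ACL = {
    "File B": {"accounting": {"read"}, "user3": {"read", "write"}},
}
GROUPS = {"user1": {"accounting"}, "user2": {"accounting"}, "user3": {"accounting"}}

# Mandatory part, set by the security officer (constructed labels).
CLEARANCE = {
    "user1": Label("confidential", {"finance"}),
    "user2": Label("confidential"),            # cleared, but no finance need-to-know
    "user3": Label("confidential", {"finance"}),
}
CLASSIFICATION = {"File B": Label("confidential", {"finance"})}


def discretionary_allows(subject, obj, mode):
    entries = ACL.get(obj, {})
    principals = {subject} | GROUPS.get(subject, set())
    return any(mode in entries.get(p, set()) for p in principals)


def mandatory_allows(subject, obj, mode):
    s, o = CLEARANCE.get(subject), CLASSIFICATION.get(obj)
    if s is None or o is None:
        return False
    if mode == "read":            # simple security property: no read up
        return s.dominates(o)
    if mode == "write":           # *-property (Bell-LaPadula): no write down
        return o.dominates(s)
    return False


def reference_monitor(subject, obj, mode):
    """Every reference passes both policies; either one alone can deny it."""
    return discretionary_allows(subject, obj, mode) and mandatory_allows(subject, obj, mode)


def access_matrix(subjects, objects, modes=("read", "write")):
    """The matrix view of the same policy: subject -> object -> effective rights."""
    return {s: {o: {m for m in modes if reference_monitor(s, o, m)} for o in objects}
            for s in subjects}


if __name__ == "__main__":
    print(access_matrix(["user1", "user2", "user3"], ["File B"]))
```

Note that user 2 is denied by the mandatory policy alone: the discretionary ACL admits all of Accounting, but without the "finance" category the clearance does not dominate the file's label.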

Memory protection (that is, preventing one process from changing another) is an architectural key for system software security. The efficiency of memory protection (and of a secure operating system) is directly related to hardware features that permit dividing a virtual memory into segments that are accessible through descriptors. As shown in Exhibit V-2, another layer of information system security is provided through the implementation of "execution domains" in software, hardware, or firmware. Again, secure system performance is highly dependent on hardware features, with three domains essential for efficient operation.


The most privileged is the security kernel domain, which contains the security mechanism. Software that is closely related to the security kernel, such as user identification, authentication, and auditing, should be verified and if possible proven correct; it resides either in its own domain or in the operating-system domain. Execution domains restrict the access of programs in a less privileged domain to a few well-defined interfaces with more privileged domains.


The security monitors shown in Exhibit IV-2 provide discretionary security as an add-on feature to IBM mainframe operating systems. Secure operating system implementations on most current mainframe architectures have proved too inefficient for commercial use. Supported by both memory protection and execution domain hardware, the SCOMP operating system, running on Honeywell's Level 6/DPS6 system, is perhaps an exception.

Secure versions of UNIX implemented on minicomputers and microprocessors are expected within the next year. (See Chapter VI, The Microcomputer and Software Security, for discussion of the Intel iAPX286.)


DATA  BASE  MANAGEMENT  SYSTEMS,  A  PROBLEM  AREA 

Data base management systems (DBMSs) allow many people to have access to different types of data, most frequently in a "user friendly" manner. Whereas security monitors within operating systems control access to the file and record (program) level, DBMS systems can add information system security down to the data level.

The data base administrator (security officer) defines access and use of all but local user data.

Two approaches to security access are utilized by DBMSs: explicit and constrained. In explicit systems only defined user/data set relationships are effective; users can have access to all other resources.

In constrained systems, unless the data base administrator authorizes an individual (program) to perform an operation, no one but the administrator (super user) can access or manipulate the information. Care must be taken with constrained systems such that security does not become a bottleneck to efficient DBMS use.
o        Access to DBMS resources may be enforced through either a set of flexible
authorization  rules  or  through  more  formal  data  classification  schemes. 
Authorization  rules  that  control  user  access  can  be: 

User  specific. 

Time  specific. 

Logical  subsets  of  rows  or  columns. 

Specific DBMS operations.

o        Query  languages  (powerful  tools  for  retrieving,  appending,  replacing,  deleting, 
and  aggregating  DBMS  information)  are  frequently  used  for  defining  and 
enforcing  authorization  rules.  For  example  and  as  shown  in  Exhibit  V-3,  the 
query  system  arbitrates  each  request,  filtering  through  such  portions  as  are 
authorized  for  access  and  response,  thereby  denying  the  user  knowledge  of 
protected  information. 

o        Although  some  constraints  (such  as  references  to  single  records)  are  possible, 
security  with  respect  to  statistical  data  bases  remains  a  significant  problem. 
Clever  computer  hackers  can  successfully  extract  valuable  information 
(programs) through successive queries that each form valid authorizations.
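The arbitration the report describes (each request filtered down to the authorized rows, columns and operations, rather than answered or refused wholesale) can be shown against a small table, together with the one defensive constraint the report grants for statistical queries: refusing an aggregate whose query set is too small. This is an added example, not code from the report or from any DBMS vendor; the payroll table, the two user rules, the business-hours window and the minimum query-set size of three are all constructed. Column names are checked against a fixed list before they reach the SQL text, and the only user-supplied value is bound as a parameter.

```python
import sqlite3
from datetime import time

# Constructed sample table; a real DBMS would hold far more.
SAMPLE_ROWS = [
    ("alice", "accounting", 50000), ("bob", "accounting", 60000),
    ("carol", "accounting", 70000), ("dave", "sales", 55000), ("erin", "sales", 65000),
]
COLUMNS = {"emp", "dept", "salary"}
AGGREGATES = {"AVG", "SUM", "COUNT"}
MIN_QUERY_SET = 3   # an aggregate must cover at least this many rows (assumed policy)

# Authorization rules in the four forms the report lists: user specific, time
# specific, logical subsets of rows/columns, and specific DBMS operations.
RULES = {
    "acct_clerk": {"ops": {"select"}, "columns": {"emp", "dept"},
                   "rows": "dept = 'accounting'", "hours": (time(8), time(18))},
    "dept_head": {"ops": {"select", "aggregate"}, "columns": COLUMNS,
                  "rows": "dept = 'accounting'", "hours": (time(0), time(23, 59))},
}


def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payroll (emp TEXT, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO payroll VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def arbitrate(conn, user, op, columns, now, emp=None, func=None):
    """Filter the request down to what the rule authorizes, or deny it outright."""
    rule = RULES.get(user)
    if rule is None or op not in rule["ops"]:
        return {"status": "denied", "reason": "operation not authorized"}
    start, end = rule["hours"]
    if not start <= now <= end:
        return {"status": "denied", "reason": "outside authorized hours"}
    # Column filtering: unauthorized columns are dropped, the rest is answered.
    allowed = [c for c in columns if c in rule["columns"] and c in COLUMNS]
    if not allowed:
        return {"status": "denied", "reason": "no authorized columns"}
    where, params = rule["rows"], []          # row predicate is administrator-defined
    if emp is not None:                       # user-supplied value: always bound, never spliced
        where, params = f"{where} AND emp = ?", [emp]
    if op == "aggregate":
        if func not in AGGREGATES:
            return {"status": "denied", "reason": "unknown aggregate"}
        count = conn.execute(f"SELECT COUNT(*) FROM payroll WHERE {where}", params).fetchone()[0]
        if count < MIN_QUERY_SET:             # statistical-data-base constraint
            return {"status": "denied", "reason": "query set too small"}
        value = conn.execute(f"SELECT {func}({allowed[0]}) FROM payroll WHERE {where}",
                             params).fetchone()[0]
        return {"status": "ok", "columns": [f"{func}({allowed[0]})"], "rows": [(value,)], "count": count}
    rows = conn.execute(f"SELECT {', '.join(allowed)} FROM payroll WHERE {where}", params).fetchall()
    return {"status": "ok", "columns": allowed, "rows": rows}


if __name__ == "__main__":
    db = build_db()
    print(arbitrate(db, "acct_clerk", "select", ["emp", "salary"], time(10)))
    print(arbitrate(db, "dept_head", "aggregate", ["salary"], time(10), func="AVG"))
```

The query-set minimum is deliberately a minimum and not a solution: the report's own caveat stands, since a sequence of individually authorized aggregates over overlapping sets can still leak, and that is why statistical data bases remain a problem area.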

o        The  basic  objective  of  security  with  respect  to  DBMSs  is  the  achievement  of  a 
high  level  of  security  without  compromising  system  performance  or  user 
friendliness.


B.       APPLICATIONS  SOFTWARE 
Development of secure application software uses most of the software
engineering  practices  related  to  a  formal  design  methodology  and  structured 
programming. 


DESIGN 


Development  of  secure  application  software  depends  on  establishing  clear 
interfaces  between  functions  (modules)  and  minimizing  information  transfer 
from  module  to  module. 

A  structured  design  utilizing  a  top-down  hierarchical  approach  is  a  favored 
design  methodology. 


Data typing that relates data to its related processes (called "data abstraction") allows definition of small, self-contained modules. Establishing the module's interface allows the concept of encapsulation (i.e., black box) or "information hiding" to be used to control access. Additional function can be added to the module without affecting its security features.

The design should carefully establish the least privilege access to modules, programs, and applications to later control program access and change.

The  auditing  process  must  be  considered  as  integral  to  the  design  process. 

PROGRAMMING 

Structured programming techniques (where each module has one entry point, all paths within the module are active, and one exit point) greatly increase the probability of successful verification and increased security.

A  level  of  security  can  be  achieved  by  assigning  portions  of  large  programs  to 
separate  programmers. 
When the program is completed, those modules related to control should be separated from procedures so that following validation the entire program, or at least the control modules, can be encrypted.


3.       VALIDATION


o        Validation  should  be  accomplished  by  a  separate  group. 

o        The  validation  process  should  ensure  that  all  paths  of  each  module  are  active 
and  that  any  "trapdoors"  used  for  debugging  during  development  are  removed. 

o        Unusual  ranges  and  combinations  of  input  data  are  useful  for  uncovering 
results  not  specified  as  output. 

o        Checks  should  be  made  that  the  program  erases  scratch  pad  memory  and 
auxiliary  storage  as  the  last  process  before  termination. 


o        The above techniques reduce the probability of "trojan horse" attacks, whereby a temporary change with an inner set of instructions is made which, under select conditions, executes during production time, breaching software or data security.

o        The  validation  process  should  ensure  that  audit  trails  are  operational  and 
effective. 

4.  MAINTENANCE 

o        All changes to operational programs should go through formal change control procedures, whereby changes are made at regular intervals, are done on a controlled basis, and are properly reviewed.

o        Periodically  the  production  program  should  be  compared  with  the  master  to 
ensure  that  the  production  copy  exactly  matches. 

o        Software that translates known object code back to source (decompilers) or assembly (disassemblers) language, and flow charting of utility programs, can help maintain application software security by ensuring that the object code does not contain trapdoors or trojan horses.
VI      THE MICROCOMPUTER AND SOFTWARE SECURITY


Intelligent terminals (in the form of workstations, word processors, and personal computers), both standalone and in local area networks (LANs), add a whole new dimension to the problem of corporate information system and software security.


Technological information processing innovations may well be outpacing technical solutions to the corporate security problem. In the final analysis, security strategies with respect to people may form the major bulwark in protecting the corporate investment in information systems and software.


It  is  clear  that  management  must  establish  policy  with  respect  to  the 
procurement  of,  responsibility  for,  and  use  of  office  automation  equipment 
before  the  problem  gets  out  of  hand.  Limiting  the  type  and  variety  of 
equipment  and  storage  media  is  certainly  in  order. 


A vigorous education program (including frequent small classes, briefings, and risk assessments) that is targeted to heighten awareness is likely the most cost-effective strategy for maintaining security in the microcomputer/office automation environment.


MANAGEMENT 
As more corporate strategic information is developed on magnetic media in the user environment, management will be forced to give greater attention to security issues, for example:


Acquisition strategies (that have been developed in draft form on word processors and then routed through LANs to executives) could theoretically be intercepted by anyone with access to the LAN.

Corporate  investment  strategies  that  were  reproduced  by  the  chief 
financial  officer's  executive  secretary  and  now  reside  on  a  personal 
computer  flexible  disk  can  be  used  by  anyone  with  a  compatible 
system. 


primary responsibility for that portion of the corporate information system (including hardware, software, and data) under the user's direct control.

Alternatively, management must provide users with appropriate technical safeguards as outlined below.


DISTRIBUTED PROCESSING

Distributed processing offers managers and staff the ability to use local computer power to better meet their individual processing needs. Although hardware and software support problems increase security complexity, distributed processing does offer several advantages:

Software and data can be isolated to a specific functional area (i.e., personnel, accounts receivable, etc.).

People in that area know each other and can easily recognize intruders.

Distributed systems require great attention to the information flow within (LANs) and between distributed processing nodes. Technologies exist, and are becoming increasingly and more economically available, to respond to both active and passive intrusion into the distributed processing network.


ENCRYPTION 


Where  encryption  is  used,  it  is  usually  important  that  the  information  passing 
through  nodes  (between  source  and  destination)  be  protected  from 
unauthorized  access  via  a  node. 


Public key encryption systems can easily be applied to distributed processing but, at the present time, with a significant loss in system efficiency. Where transmission volume is small (i.e., downloading software), a public key system can be highly effective.


Private  key  systems  (i.e.,  DES)  can  be  applied  to  distributed  systems 
utilizing  master/multiple-key  management  systems  utilizing  multiple 
encryption  methodologies. 


SIGNATURES 


In  a  distributed  network  it  is  often  necessary  to  identify  not  only  the  source 
(user)  but  also  the  receiver  (host,  node,  etc.).  The  receiver  should  be 
identified as well to ensure that the information transmitted is valid and came
from  the  identified  source. 


Authenticators (which are one-way functions of secret information (keys), one key known only to the user and the other key known only to the host) establish trusted (with high probability) interconnections.

An information transmission identifier (sequence number, date, and time group) that is properly authenticated ensures (with high probability) that the information transmission is from the identified user.
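The authenticated transmission identifier above is what turns a one-way function into protection against replay and delayed delivery, not just against forgery. The following is an added example, not code from the report: HMAC-SHA256 serves as the one-way function, a single directional key (user to host) stands in for the two keys the report describes, the five-minute acceptance window is an assumed policy, and the messages and timestamps are constructed. It walks through a fresh message, a replay, an altered payload and a late delivery, and shows which check rejects each.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone


def authenticator(key: bytes, seq: int, stamp: str, payload: bytes) -> bytes:
    """One-way function of the secret key over the identifier and the payload."""
    return hmac.new(key, f"{seq}|{stamp}|".encode() + payload, hashlib.sha256).digest()


class Sender:
    def __init__(self, key: bytes):
        self._key, self.seq = key, 0

    def send(self, payload: bytes, now: datetime) -> dict:
        self.seq += 1                          # sequence number of the transmission
        stamp = now.isoformat()                # date-time group
        return {"seq": self.seq, "time": stamp, "payload": payload,
                "tag": authenticator(self._key, self.seq, stamp, payload)}


class Receiver:
    def __init__(self, key: bytes, window=timedelta(minutes=5)):
        self._key, self.window, self.last_seq = key, window, 0

    def accept(self, msg: dict, now: datetime):
        expected = authenticator(self._key, msg["seq"], msg["time"], msg["payload"])
        if not hmac.compare_digest(expected, msg["tag"]):
            return False, "bad authenticator"            # forged or altered in transit
        if msg["seq"] <= self.last_seq:
            return False, "sequence number replayed"     # an old transmission played back
        if abs(now - datetime.fromisoformat(msg["time"])) > self.window:
            return False, "date-time group outside window"
        self.last_seq = msg["seq"]
        return True, "accepted"


def exchange():
    """Constructed run: user -> host with one directional key."""
    key = b"user-to-host key (constructed)"
    user, host = Sender(key), Receiver(key)
    t0 = datetime(1985, 6, 1, 9, 0, tzinfo=timezone.utc)
    m1 = user.send(b"TRANSFER 100", t0)
    outcomes = [host.accept(m1, t0)]
    outcomes.append(host.accept(m1, t0 + timedelta(seconds=30)))        # replay
    m2 = user.send(b"TRANSFER 200", t0 + timedelta(minutes=1))
    tampered = dict(m2, payload=b"TRANSFER 900")
    outcomes.append(host.accept(tampered, t0 + timedelta(minutes=1)))   # altered in transit
    outcomes.append(host.accept(m2, t0 + timedelta(minutes=1)))
    m3 = user.send(b"TRANSFER 300", t0 + timedelta(minutes=2))
    outcomes.append(host.accept(m3, t0 + timedelta(hours=1)))           # delivered too late
    return outcomes


if __name__ == "__main__":
    for ok, why in exchange():
        print(ok, why)
```

The order of the checks is deliberate: the authenticator is verified first so that an unauthenticated message can never advance the receiver's sequence counter or otherwise change its state.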


FIBER  OPTICS 


The  fiber  optic  medium  is  almost  impossible  to  tap  into.  As  such,  fiber  optics 
are  an  ideal  candidate  for  LANs  and  for  other  networking  applications. 

Fiber  optics  are  becoming  attractive  for  new  buildings  under 
construction. 


Several  Bell  Operating  Companies  (BOC's)  are  developing  fiber  optic 
telecommunication  circuits. 

Fiber optics will become the preferred medium of transmission (particularly for LANs) by the end of the decade.


SYSTEM  AND  SOFTWARE  SECURITY 


PHYSICAL 

Personal  computers  and  word  processors  are  tempting  targets  for  theft.  They 
are  even  more  attractive  than  typewriters. 

Depending on corporate policy, micro workstations can be secured through:

Anchor-pads.

Lockable power switches.

Lockable equipment enclosures.

Lockable  space  should  be  provided  to  users  for  storage  of  flexible  disks.  In  a 
sensitive  area  selected  disks  can  be  under  the  control  of  a  designated  librarian 
with  responsibility  for  ensuring  that  they  are  logged  in  and  out  to  the 
appropriate  personnel. 


Early  personal  computer,  word  processing,  and  office  workstation  systems 
were  targeted  for  single-user,  single-program,  and  standalone  use.  As  such, 
little  need  was  seen  for  security  access  control. 

The current generation of microprocessors provides for multifunction and on-
line  operating  environments.  Technical  solutions  to  security  access  problems 
are  just  beginning  to  appear. 

Vendors  are  offering  firmware  in  the  form  of  an  intelligent  programmable 
circuit board extension to IBM PC-compatible and other-vendor PCs. The
firmware  provides  access  restriction  through  passwords,  encryption  methods 


for  data  and  software  protection,  audit  trail  of  computer  usage,  and  methods 
for  either  local  or  central  security  control. 

SECURE  MICROPROCESSOR 

Secure  operating  systems  have  long  been  held  as  the  key  to  system  and 
software  security.  All  operating  system  functions  related  to  system  security 
have been incorporated in what is called a security "kernel". (See Chapter V,
Designing  For  Secure  Software.) 


ACCESS  CONTROL 
Support for multiple processors.

Control over a large, segmented virtual memory.

A minimum of three execution domains.

Control of access to input/output devices.

The concept of a secure microprocessor information system is shown in Exhibit VI-1. The ideal processor has four execution domains, the most privileged being level zero. The domains in effect prevent lower domains from executing system functions in higher domains.

Intel Corporation has developed the iAPX286 chip with the architectural features outlined above, which reduce by a factor of eight the overhead in implementing a secure information system.
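The domain rules stated here, and the Chapter V description of execution domains restricting a program to a few well-defined interfaces with more privileged domains, can be modelled together. The following is an added example, not code from the report or from Intel: it is a simplified abstraction of descriptor privilege levels and gates, not a model of the iAPX286 descriptor format. Level 0 is most privileged; data is reachable only from an equal or more privileged level; a program may not jump directly into another domain; and the only way up is a gate that names its entry point and the least privileged level allowed to use it. The segment names and the two gates are constructed.

```python
class ProtectionFault(Exception):
    """Raised when a reference crosses a domain boundary without authority."""


class Segment:
    def __init__(self, name, dpl):
        self.name, self.dpl = name, dpl   # dpl: descriptor privilege level, 0 most privileged


class Gate:
    """A well-defined entry point into a more privileged domain."""

    def __init__(self, target, entry, dpl):
        self.target, self.entry, self.dpl = target, entry, dpl   # dpl: least privileged caller allowed


class Domains:
    def __init__(self):
        self.segments, self.gates, self.log = {}, {}, []

    def define(self, seg):
        self.segments[seg.name] = seg

    def define_gate(self, name, gate):
        self.gates[name] = gate

    def access_data(self, cpl, name):
        """Data is reachable only from equal or more privileged domains (cpl <= dpl)."""
        seg = self.segments[name]
        if cpl > seg.dpl:
            self.log.append(("fault", "data", cpl, name))
            raise ProtectionFault(f"level {cpl} may not touch {name} (level {seg.dpl})")
        self.log.append(("ok", "data", cpl, name))
        return seg

    def transfer(self, cpl, name):
        """Direct jumps stay within the current domain."""
        seg = self.segments[name]
        if seg.dpl != cpl:
            self.log.append(("fault", "jump", cpl, name))
            raise ProtectionFault(f"direct transfer from level {cpl} to {name}")
        return cpl

    def call_gate(self, cpl, gate_name):
        """Entering a more privileged domain is possible only through a gate the caller may use."""
        gate = self.gates.get(gate_name)
        if gate is None or cpl > gate.dpl:
            self.log.append(("fault", "gate", cpl, gate_name))
            raise ProtectionFault(f"level {cpl} may not use gate {gate_name}")
        self.log.append(("ok", "gate", cpl, gate_name))
        return gate.target.dpl, gate.entry    # execution continues at the target's level


def is_denied(fn, *args):
    """True when the reference raises a protection fault."""
    try:
        fn(*args)
    except ProtectionFault:
        return True
    return False


def build_example():
    """Constructed four-domain layout: kernel (0), operating system (1), user (3)."""
    d = Domains()
    kernel_code, kernel_tables = Segment("kernel_code", 0), Segment("kernel_tables", 0)
    os_code, user_data = Segment("os_code", 1), Segment("user_data", 3)
    for s in (kernel_code, kernel_tables, os_code, user_data):
        d.define(s)
    d.define_gate("open_file", Gate(os_code, "sys_open", dpl=3))       # any domain may call
    d.define_gate("set_policy", Gate(kernel_code, "k_policy", dpl=1))  # only OS or kernel
    return d


if __name__ == "__main__":
    d = build_example()
    print(d.call_gate(3, "open_file"), is_denied(d.call_gate, 3, "set_policy"))
```

The log records faults as well as successes, which is the audit trail a reference-monitor design needs: a lower domain probing a higher one leaves evidence even when it is refused.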

INPUT expects that a secure UNIX microprocessor operating system utilizing the Intel microprocessor will begin appearing in intelligent terminals within the next two years.


SECURE  DISK  STORAGE 


In an effort to deter software piracy, the Association of Data Processing Service Organizations (ADAPSO) established the technical guidelines shown in Exhibit VI-2.

The most successful solution today appears to come from the Vault Corporation with its Prolok disk. The process places a special hardware-like "fingerprint" on a currently conventional 5-1/4-inch, double-density, double-sided diskette. In addition to the identifier, the disk contains a 10,000-byte administrative and encoding program encrypted by the same process used to protect the software that the user (vendor) later loads.
The program loaded onto the disk has been encrypted and an additional 3,000
bytes  that  tie  the  program  to  the  fingerprint  encryption  process  have  been 
added. 

Neither  the  program  nor  the  operating  system  require  modification. 

The encrypted program can be loaded onto a hard disk, but operating the program requires the presence of the Prolok flexible disk to decrypt the program resident on the hard disk.

An  advanced  product  under  development  will  permit  the  program  to  be  shared 
(as authorized) among users in a LAN.

A  hardware  technique  under  development  modifies  utilized  vendor  disk  drives 
to  create  software  diskettes  that  place  marginal-strength  pulses  in  selective 
locations  in  a  program. 

Personal computers are able to read the weak pulses and execute the
program,  but  the  pulses  are  too  weak  to  permit  copying  onto  another 
disk. 

The  technique  can  be  used  to  control  the  number  of  times  a  program  is 
used  before  it  becomes  inoperable. 
VII     SUMMARY


A combination of strategies involving motivating people and selectively using technology are necessary to protect the corporate software and systems investment.

A flexible approach to security in an information system environment characterized by rapid technological change and increasing user involvement is the optimal overall strategy to pursue.

This study has shown that no one single or indeed no small group of strategies can ensure adequate protection to corporate information, including software.

The principle of layering, or putting up a number of independent (hopefully, simultaneous) roadblocks that make penetration very time consuming and costly, is probably the most important of a number of strategies to pursue.

The dimensions of the strategy that form the triad to protect the corporate investment in information systems and software (people, administration, and technology) are shown in Exhibit VII-1.
A.       PEOPLE COUNT


Involvement  of  top  management  is  a  must  in  order  for  corporate  information 
systems  and  software  security  to  be  effective. 


Selection and placement of a security director (backed by management) is critical to security planning, implementation, and administration.

In the final analysis the corporate information system and software investment is protected by the user (people). Multiple strategies are necessary to heighten people's awareness of and commitment to protecting corporate information:

Background  investigation  prior  to  hiring  in  order  to  increase  the 
probability  of  employee  trustworthiness. 

New  employee  acknowledgement  of  security  responsibility  upon  hiring. 

Definitive  corporate  information  security  policy  promulgated  by  top 
management  and  kept  current. 

A  program  of  employee  education  to  small  groups  and  at  frequent 
intervals. 

Security  performance  evaluation  as  part  of  the  annual  and  merit  review 
process,  with  employee  reacknowledgement  of  security  responsibilities. 

Publication of a corporate code of conduct that has clear sanctions for abuse.

Separation of sensitive duties among employees to minimize individual fraud and make collusion very difficult.

Security debriefing and acknowledgement of post-employment responsibilities with respect to corporate information as part of the termination procedure.


B.       ADMINISTRATION  NECESSARY 


There are a number of administrative strategies available that primarily relate to the physical security of corporate information systems and software.




o        A software librarian ensures the authorized possession, distribution, and documentation control of corporate software.

o        An adequate fire protection system (preferably halon) affords a high degree of systems and software survivability.

o        A  strategy  of  storing  two  copies  of  the  corporate  information  system  and 
application  software  (encrypted)  in  separate  locations  assures  disaster 
recovery. 

o        Corporate  information  system  applications  software  can  be  protected  through 
copyright  and  trade  secret  law. 

o         Insurance  is  becoming  a  more  popular  strategy  for  giving  additional  protection 
to  the  corporate  software  investment. 
C.       TECHNOLOGY, THE CORE DEFENSE


o        The importance of security has spawned a number of technology options, some still emerging, which are at best struggling to keep pace with technological innovation in distributed processing, LAN, and micro-driven office automation intelligent terminals.

o        Some security monitors are more successful than others and add on to already-inefficient existing operating systems. These monitors emulate security kernels and provide a satisfactory degree of mediation between subjects (users) and objects (resources).

o        Telephone  access  controllers  are  the  most  recent  addition  to  mediating  access 
between  users  and  hosts  in  rapidly  expanding  remote  telecommunications 
(primarily  dial-up)  networks. 

o        Microprocessor-encapsulated  "smart"  cards  promise  to  add  another  layer  of 
validation  for  the  user  and  to  add  authentication  for  interconnections  and 
transmissions  between  users  and  processors. 

o        Encryption  (software  and  hardware)  is  on  a  rapidly  decreasing  cost  curve. 
Private  and  eventually  public-key-driven,  encryption  is  becoming  a  viable 
strategy  for  secure  transmission  and  authentication  of  information  between 
and  at  distributed  processing  nodes. 

o        Fiber optics, particularly for new construction, offers highly cost-effective security, particularly for LANs.

o        A number of products are becoming available or already exist to protect the corporate system and software investment as microprocessors proliferate among corporate users. The two most promising appear to be the Prolok secure disk storage, which prevents access to and duplication of vendor-purchased or in-house-developed system and applications software, and the Intel 16-bit iAPX286 microprocessor, which incorporates hardware security features and should soon permit the development of an efficient UNIX security kernel for standalone and LAN computing environments.

Many strategies are available for designing security into system and application software. Placing all security-related functions in an operating system kernel, providing memory protection by segmenting virtual memory, implementing privileged execution domains, and mediating access through a reference monitor are all strategies for developing secure corporate information operating systems.
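The reference monitor described above can be shown in a few dozen lines. The following is an added example, not code from the report or from any product it names: a monitor that records every subject-to-object decision in a log, enforces the discretionary access control list of Exhibit V-1 (only the owner of an object may extend its list), and applies the mandatory "Class" rule of Appendix A (a user may read only data whose class is equal to or lower than their own). The classification levels, the choice of User 3 as owner of "File B", and all clearances are assumptions made for the example.

```python
"""Reference monitor: mediates every subject -> object access request.

Added example. Combines the discretionary access control list of
Exhibit V-1 ("List Control") with the mandatory read rule from the
"Class" definition: clearance must be >= the object's classification.
"""
from dataclasses import dataclass, field

# Ordered classification levels (assumed for this example).
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top secret": 3}


@dataclass
class Subject:
    name: str
    clearance: str                      # a key of LEVELS


@dataclass
class Obj:
    name: str
    owner: str
    classification: str                 # a key of LEVELS
    acl: dict = field(default_factory=dict)   # subject name -> set of rights


class ReferenceMonitor:
    def __init__(self):
        self.objects = {}
        self.log = []                   # every decision is recorded ("Log")

    def create(self, owner: Subject, name: str, classification: str) -> Obj:
        """'Create': associate a new resource with an identifier; the
        creator becomes its owner with read and write rights."""
        obj = Obj(name, owner.name, classification)
        obj.acl[owner.name] = {"read", "write"}
        self.objects[name] = obj
        return obj

    def grant(self, grantor: Subject, name: str, grantee: str, rights) -> bool:
        """Discretionary security: only the owner may extend the ACL."""
        obj = self.objects[name]
        if grantor.name != obj.owner:
            self.log.append((grantor.name, "grant", name, "DENY"))
            return False
        obj.acl.setdefault(grantee, set()).update(rights)
        self.log.append((grantor.name, "grant", name, "ALLOW"))
        return True

    def check(self, subject: Subject, name: str, right: str) -> bool:
        """Mediate one reference. Unknown objects are denied; a read also
        needs the mandatory class rule to hold (the report states the rule
        for reads only, so writes are governed by the ACL alone here)."""
        obj = self.objects.get(name)
        decision = False
        if obj is not None:
            discretionary = right in obj.acl.get(subject.name, set())
            mandatory = (right != "read" or
                         LEVELS[subject.clearance] >= LEVELS[obj.classification])
            decision = discretionary and mandatory
        self.log.append((subject.name, right, name, "ALLOW" if decision else "DENY"))
        return decision


def demo_reference_monitor() -> dict:
    """Rebuild Exhibit V-1's 'File B' list: User 1 Read, Accounting Read,
    User 3 Read/Write. Owner and clearances are assumed."""
    rm = ReferenceMonitor()
    user1 = Subject("User 1", "confidential")
    user2 = Subject("User 2", "secret")
    user3 = Subject("User 3", "secret")
    acct = Subject("Accounting", "unclassified")
    rm.create(user3, "File B", "confidential")
    rm.grant(user3, "File B", "User 1", {"read"})
    rm.grant(user3, "File B", "Accounting", {"read"})
    rm.grant(user1, "File B", "User 2", {"read"})       # not the owner: denied
    return {
        "user1_read": rm.check(user1, "File B", "read"),   # on the list, class ok
        "user1_write": rm.check(user1, "File B", "write"), # read only
        "user2_read": rm.check(user2, "File B", "read"),   # no list entry
        "acct_read": rm.check(acct, "File B", "read"),     # listed, but class too low
        "user3_write": rm.check(user3, "File B", "write"), # owner
        "missing": rm.check(user3, "File X", "read"),      # no such object
        "log_entries": len(rm.log),
    }
```

The Accounting case is the one worth noticing: the discretionary list says yes and the mandatory class rule says no, and the monitor denies. Both policies must agree before an access is granted.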

Security strategies for development and application software include: formal structured design methodology/structured programming; data abstraction, including information hiding; operational and formal validation to uncover trapdoors and possible Trojan horse attacks; and maintenance procedures, including formal change control, periodic matching of production programs to the master library copy, and utilization of software aids that permit decompilation, disassembly, and testing for dead code, unspecified or unusual output, or cleared scratch pad memory and auxiliary storage.
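The periodic matching of production programs to the master library copy can be automated by hashing both libraries and comparing them. The following is an added example, not a procedure from the report: it reports programs that were modified in production (a "zap" in the Appendix A sense), programs missing from production, and programs present in production that were never placed under change control. The file names and contents are constructed in a temporary directory.

```python
"""Periodic matching of production programs against the master library.

Added example. Hashes every file under the master library root, then
compares the production copies and reports the three kinds of drift a
change-control review cares about.
"""
import hashlib
import tempfile
from pathlib import Path


def digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large load modules are fine."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict:
    """Relative path -> SHA-256 for every regular file under root."""
    return {str(p.relative_to(root)): digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def match_libraries(master: Path, production: Path) -> dict:
    """Compare production against master; each list is sorted for stable reports."""
    m, p = snapshot(master), snapshot(production)
    return {
        "modified": sorted(k for k in m if k in p and m[k] != p[k]),
        "missing": sorted(k for k in m if k not in p),
        "unexpected": sorted(k for k in p if k not in m),
    }


def demo_library_match() -> dict:
    """Constructed libraries: two programs under change control, then three
    kinds of drift introduced on the production side."""
    with tempfile.TemporaryDirectory() as tmp:
        master, prod = Path(tmp, "master"), Path(tmp, "prod")
        for root in (master, prod):
            root.mkdir()
            (root / "payroll.cbl").write_text("PROCEDURE DIVISION.\n")
            (root / "ledger.cbl").write_text("PROCEDURE DIVISION.\n")
        # Constructed drift: one program altered, one removed, one added
        # outside change control.
        (prod / "payroll.cbl").write_text("PROCEDURE DIVISION.\n* unreviewed change\n")
        (prod / "ledger.cbl").unlink()
        (prod / "patch.cbl").write_text("PROCEDURE DIVISION.\n")
        return match_libraries(master, prod)
```

In practice the master snapshot would be computed once at release time and stored with the change-control record, so that a later run compares production against the approved hashes rather than against a master copy that could itself have been altered.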
APPENDIX A: DEFINITIONS

Access: The ability to use a resource.

Access Control: Granting a suitably authorized request for access to information system resources.

Attack: An attempt to effect unauthorized access.

Audit: Use of a log in determining whether access is controlled in accordance with management policy and generally accepted accounting practices.

Authenticate: To determine the accuracy of a user's identity or a message's certification of its time or place of origin.

Authorize: To permit the use of a sensitive resource.

Browse: Unauthorized reading of data in the hope of attaining useful information whose specific location is not known by the browser.

Category: An aggregation of sensitive resources formed to facilitate authorization.

Class: A level of authorization applied to a set of users. These users may read all data whose class is equal to or less than their own.
Create: Develop and associate a resource with an identifier.

Destroy: Cause a resource to cease to exist.

Diddle: To write (data) with an intent to confuse or deceive.

Disconnect: To deny access to the system resulting from repeated attempts to have a user's claim of identity authenticated.

Discretionary security: Assignment of rules to specify who is allowed what type of access to which objects. Discretionary security allows those who own a segment of data to decide who can have access to it.

Encryption: A process for protecting programs and data that must be stored on or transmitted over media that cannot be otherwise protected against unauthorized monitoring.

Cryptography: A form of access control applicable to sensitive resources that are beyond the scope of program access control and physical access control.

Exhaustion: An attack carried out by entering all possible values (for example, of a password) and trying to supply a secret quantity unknown to the hacker.

Group: A set of users selected to facilitate authorization.

Hacker: An individual, usually outside a corporate organization, who attempts to gain unauthorized access to the corporate information system through random or systematic attacks.

Identifier: A value uniquely associated with a user, a group of users, or a sensitive resource.
Individual-based Authorization: Permitting or denying access to users according to previously recorded individual authorization, with that interaction accompanying a request for access (individual-based as contrasted to resource-based).

Interval: The maximum length of time that a user may use a particular value (such as a password) as data for authentication.

Kernel: A security kernel is a hardware/software mechanism that contains all security-relevant operating system functions. Implementations may contain one component, called the kernel, which enforces a specified set of security rules. Other components are called trusted processes.

Last-used: The time log when a particular user most recently made use of the system.

List: A set of authorizations that are applied to one resource or to a set of resources.

Log: Data recorded about authorizations and requests for access.

Mandatory security: The enforcement of a security policy that uses a fixed security classification such as top secret, secret, etc. to determine access.

Masquerade: Someone posing as another; a mechanism used in an attack.

Password: Data a user provides for purposes of authentication.

Penetration: An unauthorized access that gives the hacker control of the system; a type of attack.

Physical data: Anything other than magnetically recorded data to which the system can control access; concerns portable media in computer centers and libraries.
Program: Magnetically recorded data to which the system can control access.

Protocol: A procedure for communicating between two or more nodes of a network.

Query: A request for information from a data base; specifically one for data collected from a number of records, and presented as a sum, average, etc.

Read: To acquire data.

Reduce: To process logs so as to extract only the data needed for auditing purposes.

Reference Monitor: A computer system component that checks each reference from subject (user or program) to object (file, device, user, or program) to determine if the access is valid.

Request: An application for the right to effect access to sensitive resources.

Residual: Data left after a process is completed; undestroyed residual data is subject to attack by a browser.

Resource: Any service, capacity, device, or data accessible by a system.

Resource-based: Permitting or denying access to users according to their ability to provide authenticating data and association with a resource request.

Salami: An attack involving many small amounts, for example a misappropriation of very small sums.

Sensitive: A resource of sufficient value such that access control is desired.
Scavenge: Conduct an attack by browsing through discarded printed material.

Sign: Appended to a collection of data, authenticating data indicative of the sender, place, time, origin, etc.

System Integrity: The extent to which a system resists penetration.

Ticket: An authorization that is associated with a user for a specific time or limited number of accesses.

Time Bomb: A routine that for the programmer's own purposes executes an attack after a set time.

Time Stamp: Authenticating data indicative of the time that an event took place (for example, the sending of a message).

TOCTTOU (time of check to time of use): Failing to protect data between the time that the system validates its data and the time that the system uses the data, thus permitting penetration.
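The TOCTTOU definition above is easiest to understand side by side with its fix. The following is an added example, not code from the report: the first routine validates a file by name and then opens the name a second time, so whatever the name refers to during the gap is what gets used; the second routine opens the file once and validates the descriptor it will actually read from, leaving no gap. The temporary files, the "protected" file, and the `between` hook that makes the gap observable in a test are all constructed for the example; the example assumes a POSIX system where `O_NOFOLLOW` is available.

```python
"""Time of check to time of use: check-then-use on a path name versus
check-and-use on a single open descriptor.

Added example. The 'between' hook exists only so a test can exercise the
window deterministically; real code has the same window without it.
"""
import os
import stat
import tempfile
from pathlib import Path


def read_if_regular_unsafe(path, between=lambda: None):
    """Validates the NAME, then opens the NAME again: two resolutions."""
    if not os.path.isfile(path):          # time of check (follows links)
        return None
    between()                             # the unprotected window
    with open(path, "rb") as f:           # time of use: name resolved again
        return f.read()


def read_if_regular_safe(path):
    """Opens once, then validates the descriptor it will read from."""
    flags = os.O_RDONLY | getattr(os, "O_NOFOLLOW", 0)   # assumes POSIX
    try:
        fd = os.open(path, flags)         # the only resolution of the name
    except OSError:                       # missing, unreadable, or a symlink
        return None
    try:
        if not stat.S_ISREG(os.fstat(fd).st_mode):       # check what we opened
            return None
        return os.read(fd, 1 << 20)       # use the same object we checked
    finally:
        os.close(fd)


def demo_tocttou() -> dict:
    """Constructed scenario: the checked name is re-pointed at a different
    file inside the window; only the unsafe routine is fooled."""
    with tempfile.TemporaryDirectory() as tmp:
        protected = Path(tmp, "protected.txt")
        protected.write_bytes(b"private")
        target = Path(tmp, "input.txt")

        def reset():
            if target.is_symlink() or target.exists():
                target.unlink()
            target.write_bytes(b"public")

        def swap():                       # what happens during the window
            target.unlink()
            target.symlink_to(protected)

        reset()
        unsafe = read_if_regular_unsafe(target, between=swap)
        reset()
        safe_plain = read_if_regular_safe(target)
        swap()
        safe_link = read_if_regular_safe(target)
        return {"unsafe": unsafe, "safe_plain": safe_plain, "safe_link": safe_link}
```

The general rule the example illustrates: validate the object you hold (a descriptor, a row locked in a transaction, a message already in memory), never a name or key that will be resolved a second time.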

Tracker: A query or set of queries designed to make it possible for a user to get data base information without proper authorization.

Trap-door: An exit or hook that permits easy access to a system or new code to be easily added to a program; a mechanism used in an attack.

Trojan Horse: A routine that does not contribute to the documented function of the program that contains it, but instead is something the program's developer would prevent if possible (a routine that takes advantage of the program's security level to effect unauthorized access).

Trusted: A component that can be relied on to enforce the relevant security policy.
Use: Access to a resource for the purposes of reading, writing, creating, or destroying it.

Write: To modify data.

Zap: An unauthorized modification of a program that the user does not have authorization to use.


-  6  -  (U-SPR-AppA)  PH  8/23/84 




APPENDIX B: RELATED INPUT REPORTS

o  New Issues in Computer Security, December 1982.


-  I  -  (U-SPR-AppB)  PH  8/23/84 




ESTABLISH  A  BASELINE 
FOR  INFORMATION  SYSTEMS 
AND  SOFTWARE  PROTECTION 

•  Involve  Top  Management 

•  Carefully  Select  and  Place  Security 
Director 

•  Motivate  Users  to  be  Responsible 

•  Use  Multiple  Physical  Protection 
Strategies 

•  Layer  Technology  as  the  Core  Defense 


©1984  by  INPUT.  Reproduction  Prohibited. 


INPUT 

USPR 




EXHIBIT II-2

SECURITY PROTECTION IS A THREE-DIMENSIONAL ASSESSMENT


Technology 


•  Host  Processors 

•  User  Networks 

•  Intelligent  Terminals 
EXHIBIT II-3

LAYERED TECHNOLOGY IS THE CORE DEFENSE

[Figure: the three technology layers surround "Corporate Information Systems and Software" at the center.]

Intelligent Terminals
• Secure Microprocessors
• Secure Microdisks
• Terminal IDs
• Smart Cards

User Networks
• Encryption
• Authentication
• Fiber Optics
• Telephone Access Controllers

Host Processors
• Security Monitors
• Secure Operating System Kernels
• Formal Design Methodologies
• Structured Programming
• Change Control
EXHIBIT III-1

DEFENSE AGAINST POSSIBLE THREATS TO CORPORATE INFORMATION SYSTEMS

[Figure: the five defenses form rings around the information system; the threats are placed outside them. Legend: Threat, Defense.]

Defenses: Hardware Reliability; Software Reliability; Communications Reliability; Applications Reliability; Human Reliability.

Threats: Espionage; Strikes and Work Stoppages; Sabotage; Legal Requirements, Social Responsibility, Libel Suits, Bomb Threats, Intense Competition, New Responsibilities; Fraud; Ice and Snow, Mischief, Rain and Mud; Theft; Industrial Accident; Loss of Power, Communication, Water, Sewer.
EXHIBIT III-2

INFORMATION SYSTEMS CODE OF CONDUCT

The information systems department is entrusted with computer programs, supplies, data, documentation, and facilities that are continuously growing in size and value. We must maintain visible standards of performance, security, and conduct that aid in our efforts to assure the integrity and protection of these assets. The following policy should be used in conducting on-the-job activities. The success of this program, however, requires that each member of the information systems organization maintain an awareness of the value of the information with which he or she has been entrusted. Violation of this trust is grounds for disciplinary action, including immediate dismissal. IS must:

• Conduct all activities to preclude any form of dishonesty, such as theft or misappropriation of money, equipment, supplies, documentation, computer programs, or computer time.

• Avoid any act that compromises our integrity, such as falsification of records and documents or unauthorized modification of production programs and files. Refuse gratuities from vendors, agencies, or other resources.

• Avoid any act that may create a dangerous situation, such as carrying a concealed weapon on organization premises; assaulting another individual; or disregarding property, safety, and security standards.

• Do not use intoxicating liquors, narcotics, or drugs while at work. Do not report to work while under the influence of same, or in any other way report in a condition unfit for work.

• Maintain courteous and professional relations with users, associates, and supervisors. Perform job assignments as requested by supervisory or management and do so within the standards of performance and security. Report any observed violations of conduct or security as soon as possible.

• Adhere to the no-solicitation rule, and all other employment policies.

• Protect the confidentiality of sensitive information with regard to competitive positions, trade secrets, or assets.

• Exercise sound business practice in the management of company resources, such as personnel, computer usage, outside services, travel, and entertainment.
EXHIBIT IV-1

LEVELS OF SECURITY

LEVEL  OPTION                         ADVANTAGES                        DISADVANTAGES
  1    Passwords                      Low Cost                          Most Vulnerable
  2    Terminal IDs                   Low Cost                          Inflexible
  3    Security Monitors              Good Security                     High Cost
                                      Audit Trail                       Needs Administration
                                                                        Susceptible to Systems Programmers
  4    Encryption                     High Security                     Major Cost
                                                                        Degrades System Performance
                                                                        Needs Administration
  5    Telephone Access Controllers   Good Internal Security            Analog System
                                      High External Security            Internal Security Susceptible
                                      Good Audit Trails                   to Systems Programmers
  6    Smart Cards                    Very High Security                Currently High Cost
                                      Authentication of Both            Needs Administration
                                        User and Host
                                      Flexible
EXHIBIT IV-2

LEADING SECURITY MONITORS FOR IBM PLUG-COMPATIBLE SYSTEMS

[Table: one column per security monitor product, with a bullet where the product supports the item. The product column headings are illegible in the scan apart from "SAP", so the per-product marks are not reproduced. Rows:]

Compatible with Operating Systems: MVS; OS/MVT; DOS/VSE; SVS; VM; TSO

Data Systems Protected: IMS; CICS; Roscoe

Functions Controlled: JES/JCL/SCAN; Allocate; Scratch; Open; EOV; Catalog; Recatalog; Uncatalog; Rename

Password Support: Inserts Password on Submit; Changes Passwords; Forces Password Change at Established Intervals; Logs Password History; Warns of Password Expiration


EXHIBIT IV-3

TELEPHONE ACCESS CONTROLLER SECURITY SYSTEM INTERFACE

[Figure: signal path between remote user terminals and the host computer.]

User Terminal -> Encryption -> Modem -> (Analog Signals) -> Telephone Communications Network -> (Analog Signals) -> Telephone Access Controller -> (Analog Signals) -> Modem -> (Digital Signals) -> Encryption System -> (Digital Signals) -> Dial Access Communications Ports -> Host Computer

A second User Terminal, with its own Encryption and Modem, reaches the same Telephone Communications Network.
EXHIBIT IV-4

SMART CARD FUNCTIONAL DESIGN

[Figure: block diagram of the card.]

External Interface: Data and Power Connectors

Chip: Read-Only Memory; Microprocessor; Random Access Memory; Program Read-Only Memory; User Memory

User Memory Map:
  Terminal ID, Name, Other Data (Open)
  Personal ID, Transactions (Confidential)
  Authentication Key, Issuer Key, Personal Key, Security Key (Secret)
EXHIBIT V-1

IMPLEMENTATION OF DISCRETIONARY SECURITY POLICY

MATRIX CONTROL

[Figure: access matrix with Subjects (User 1, User 2, Accounting, User 3, Application 1, Application n) as rows and Objects as columns; each cell holds some combination of Read, Write, and Execute. The object headings and the assignment of cells to columns are not recoverable from the scan.]

LIST CONTROL

File B Access Control List:
  User 1       Read
  Accounting   Read
  User 3       Read, Write

Discussed in Text
EXHIBIT V-2

SECURE INFORMATION SYSTEMS EXECUTION DOMAINS

EXHIBIT V-3

ARBITRATION OF USER QUERIES TO PROTECT DBMS RESOURCES

[Figure: flowchart.]

1. User Enters Query
2. Value-Independent Access Constraints Checked (on failure: Query Rejected)
3. Value-Dependent Access Constraints Appended to Query
4. Standard Query Execution
5. Result Returned to Query (Records May Be Rejected Based On Value-Dependent Constraints)
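The two-stage arbitration in Exhibit V-3 maps directly onto a query gateway in front of the DBMS. The following is an added example, not code from the report or from any DBMS it names: value-independent constraints (which tables and columns a user's group may read at all) are checked first and a failure rejects the query outright; value-dependent constraints are then appended to the query as an extra predicate so that records the user may not see never leave the database. The schema, the policy tables, the user records and the sample rows are all constructed for the example; column and table names are validated against the policy before they are placed in SQL text, and every value is passed as a bound parameter.

```python
"""Arbitration of user queries before they reach the DBMS (Exhibit V-3).

Added example. Stage 1 is value-independent (table/column authorization);
stage 2 appends value-dependent row constraints to the query itself.
"""
import sqlite3

# Value-independent policy: table -> group -> readable columns (constructed).
COLUMN_POLICY = {
    "payroll": {"accounting": {"emp_id", "dept", "salary"},
                "manager": {"emp_id", "dept"}},
}
# Value-dependent policy: table -> group -> (predicate, user attributes bound to it).
ROW_POLICY = {
    "payroll": {"accounting": ("1 = 1", ()),            # sees every row
                "manager": ("dept = ?", ("dept",))},    # only their own department
}


class QueryRejected(Exception):
    """Raised when stage 1 fails; nothing is sent to the DBMS."""


def arbitrate(user: dict, table: str, columns, filters=None):
    """Return (sql, params) for an authorized query or raise QueryRejected."""
    filters = dict(filters or {})
    allowed = COLUMN_POLICY.get(table, {}).get(user["group"])
    # Stage 1: table must be known and every requested column readable.
    if allowed is None or not (set(columns) | set(filters)) <= allowed:
        raise QueryRejected(f"{user['name']} may not read {sorted(columns)} from {table}")
    # Only policy-validated identifiers reach the SQL text; values are bound.
    clauses = [f"{col} = ?" for col in filters]
    params = list(filters.values())
    # Stage 2: append the group's value-dependent predicate.
    predicate, attrs = ROW_POLICY[table][user["group"]]
    clauses.append(f"({predicate})")
    params += [user[a] for a in attrs]
    sql = f"SELECT {', '.join(columns)} FROM {table} WHERE {' AND '.join(clauses)}"
    return sql, tuple(params)


def run(conn, user, table, columns, filters=None):
    sql, params = arbitrate(user, table, columns, filters)
    return conn.execute(sql, params).fetchall()


def demo_query_arbitration() -> dict:
    """Constructed payroll table and two users: a department manager and
    an accounting clerk."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE payroll (emp_id INTEGER, dept TEXT, salary INTEGER)")
    conn.executemany("INSERT INTO payroll VALUES (?, ?, ?)",
                     [(1, "sales", 50), (2, "sales", 60), (3, "ops", 70)])
    mgr = {"name": "User 3", "group": "manager", "dept": "sales"}
    acct = {"name": "Accounting", "group": "accounting"}
    out = {
        # Manager asks for all employees; the appended predicate hides 'ops'.
        "manager_rows": run(conn, mgr, "payroll", ["emp_id"]),
        # Accounting may read salary and filter by department.
        "accounting_ops": run(conn, acct, "payroll", ["salary"], {"dept": "ops"}),
    }
    try:                                  # salary is outside the manager's columns
        run(conn, mgr, "payroll", ["emp_id", "salary"])
        out["manager_salary"] = "allowed"
    except QueryRejected:
        out["manager_salary"] = "rejected"
    return out
```

The distinction the exhibit draws is visible in the two outcomes: the salary request fails before any SQL is built, while the manager's employee listing runs but returns only the rows the appended predicate permits.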
EXHIBIT VI-1

SECURE MICROCOMPUTER INFORMATION SYSTEM FUNCTIONAL DESIGN

EXHIBIT VI-2

ADAPSO GUIDELINES FOR MICROCOMPUTER SOFTWARE SECURITY

ITEM                  GUIDELINES

Cost                  • Low to end user
                      • Cost to install small part of total system manufacturing cost

Ease of Use           • Ease of installation
                      • Transparent to end user
                      • No effect on program execution, speed or performance
                      • No complex rules or keys to remember
                      • User can make backup copies

Installation          • Simple for manufacturers to install

Availability          • Widely available to all software publishers
                      • Can be used with all types of software requirements

Hardware              • Can be used on all floppy disk sizes and formats
Requirements          • Minimal use of RAM
                      • Can be used on hard disk
                      • Used on wide variety of microcomputers
                      • Transferal to other computers
                      • Can be transferred with computer to new owner

Operating System      • Used on wide variety of operating systems
Requirements          • Does not interfere with operating system
                      • No new definitions to operating systems

Protection            • Provides security from duplication by end user
                      • Protects software from external duplication
EXHIBIT VII-1

STRATEGIES TO PROTECT THE CORPORATE INFORMATION SYSTEMS AND SOFTWARE INVESTMENT

PEOPLE COUNT
• Top Management Responsible
• Security Director
• Background Investigation
• Hiring and Termination Procedures
• Corporate Security Policy
• Education
• Personal Security Evaluations
• Code of Conduct
• Separation of Duties

ADMINISTRATION NECESSARY
• Documentation Control
• Fire Protection
• Disaster Recovery
• Legal
• Insurance

TECHNOLOGY, THE CORE DEFENSE
• Passwords and Terminal IDs
• Security Monitors
• Telephone Access Controllers
• Smart Cards
• Encryption
• Fiber Optics
• Secure Microprocessors
• Secure Microdisk Storage
• Security Operating System Kernels
• Formal Design Methodologies
• Structured Programming
• Change Control
CONFIDENTIAL

INPUT QUESTIONNAIRE

STUDY TITLE: ________________________

TYPE OF INTERVIEW:  [ ] VENDOR   [ ] TELEPHONE
                    [ ] USER     [ ] ON-SITE
                                 [ ] MAIL

INTERVIEWER: ________________________

COMPANY: ________________________   CO. TYPE: ________
ADDRESS: ________________________   SALES: ________
CITY: ____________  STATE: ______  ZIP: ________  # EMPL: ________

CATALOG NO. ____  SIC CODE ____  SIZE CODE ____  AREA CODE ____  STUDY CODE ____  DATE (MM DD YY) ____

INDUSTRY:
  [ ] Discrete Manufacturing   [ ] Utilities    [ ] Insurance
  [ ] Process Manufacturing    [ ] Retail       [ ] Government - Federal
  [ ] Transportation           [ ] Banking      [ ] Government - State & Local
  [ ] Medical                  [ ] Wholesale    [ ] Education
  [ ] Services                 [ ] Other

INTERVIEWS: name, title, telephone no.

SUMMARY

REFERENCES

CATALOG NO. USPR ____

PROTECTING THE CORPORATE SOFTWARE INVESTMENT
VENDOR QUESTIONNAIRE

1.  What products/services do you offer related to program/data security?

    Product Name            Number of Users      Price Range
    1. ________________     ________________     ________________
    2. ________________     ________________     ________________
    3. ________________     ________________     ________________
    4. ________________     ________________     ________________

2.  What mainframe/mini operating systems do you support?

                        IBM    Burroughs    Honeywell    DEC    H-P    Others
    Mainframe/Minis     ____   ____         ____         ____   ____   ____
    Operating Systems   ____   ____         ____         ____   ____   ____
CATALOG NO. USPR ____

3.  What are the levels of program/data security that your products provide?
    [ ] Personal   [ ] Terminal   [ ] Program   [ ] File   [ ] Data

4.  How are audit trails provided?

5.  How does the product provide for:
    Multi-CPU Environment/Site ________
    Multisite Environment ________
    Distributed Environment ________

6.  To what extent does the product/system provide for protecting the program/data by encryption?
    [ ] None   [ ] DES   [ ] Other ________

7.  What modifications are necessary to incorporate the product into the operating system environment?
    [ ] None   [ ] ________
CATALOG NO. USPR ____

8.  What is the overhead associated with the use of your product?
    [ ] System Efficiency: ________
    [ ] User Access: ________

9.  What products do you offer in relation to program/data security for personal computers?
    [ ] None
    [ ] ________ (Compatible)   [ ] Apple   [ ] DEC   [ ] Others

    Product Name    Operating System    Users    Price Range
    ____________    ________________    _____    ___________

10. How is program/data security accomplished for personal computers?
    [ ] Hardware   [ ] Software   [ ] ________

11. Who (up to 3) are your major competitors?
                  Mainframe/Mini        Micro
    Vendor 1.     ________________      ________________
           2.     ________________      ________________
           3.     ________________      ________________

12. What are the trends you see in providing program/data security?
    [ ] Hardware   [ ] Software   [ ] Market